Fabric OS Encryption Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP ISL Trunking Kit

171

172

173

174

175

176

177

178

179

180

Fabric OS Encryption Administrator’s Guide 153

53-1002159-03

Crypto LUN configuration

Moving a CryptoTarget container

You can move a CryptoTarget container from one encryption engine to another. The encryption

engines must be part of the same fabric and the same encryption group, and the encryption

engines must be online for this operation to succeed. This operation permanently transfers the

encryption engine association of a given CryptoTarget container from an existing encryption engine

to an alternate encryption engine.

NOTE

If a CryptoTarget container is moved in a configuration involving FCR, the LSAN zones and manually

created redirect zones will need to be reconfigured with new VI and VT WWNs. Refer to the section

“Deployment in Fibre Channel routed fabrics” on page 183 for instructions on configuring

encryption in an FCR deployment scenario.

1. Log in to the group leader as Admin or FabricAdmin.

2. Enter the cryptocfg

--move -container command followed by the CryptoTarget container name

and the node WWN of the encryption engine to which you are moving the CryptoTarget

container. Provide a slot number if the encryption engine is a blade.

FabricAdmin:switch>cryptocfg --move -container my_disk_tgt \

10:00:00:05:1e:53:4c:91

Operation Succeeded

3. Commit the transaction.

FabricAdmin:switch>cryptocfg --commit

Operation Succeeded

Crypto LUN configuration

A Crypto LUN is the LUN of a target disk or tape storage device that is enabled for and capable of

data-at-rest encryption. Crypto LUN configuration is done on a per-LUN basis. You configure the

LUN for encryption by explicitly adding the LUN to the CryptoTarget container and turning on the

encryption property and policies on the LUN. Any LUN of a given target that is not enabled for

encryption must still be added to the CryptoTarget container with the cleartext policy option.

• The general procedures described in this section apply to both disk and tape LUNs. The

specific configuration procedures differ with regard to encryption policy and parameter setting.

• You configure the Crypto LUN on the group leader. You need the FabricAdmin role to perform

LUN configuration tasks.

• There is a maximum of 512 Disk LUNs per Initiator in a container.

• There is a maximum of 8 Tape LUNs per Initiator in a container.

CAUTION

When configuring a LUN with multiple paths (which means the LUN is exposed and configured on

multiple Crypto Target containers located on the same Encryption switch or blade or on different

encryption switches or blades), the same LUN policies must be configured on all of the LUN’s

paths. Failure to configure all LUN paths with the same LUN policies results in data corruption. If